CentOS Stream 9
Sponsored Link

SELinux : Search Logs
2022/03/11
 
Access OK or Deny decisions by SELinux are cached once and Denial Accesses are sent to Log files.
Cache of SELinux is called AVC (Access Vector Cache) and Denial Accesses are called [AVC Denials].
AVC Denial Log is generated via Systemd Journald or Audit Service, so it needs either of service is running.
If Rsyslog Service is running (enabled by default), logs are also put on [/var/log/messages].
[1] When Systemd Journald or Rsyslog service is enabled, AVC Denial Logs are recorded to Journald and [/var/log/messages].
[root@dlp ~]#
journalctl -t setroubleshoot

Mar 10 21:57:34 dlp.srv.world setroubleshoot[1840]: AnalyzeThread.run(): Cancel>
Mar 10 21:57:34 dlp.srv.world setroubleshoot[1840]: failed to retrieve rpm info>
Mar 10 21:57:35 dlp.srv.world setroubleshoot[1840]: SELinux is preventing /usr/>
Mar 10 21:57:35 dlp.srv.world setroubleshoot[1840]: SELinux is preventing /usr/>
.....
.....

[root@dlp ~]#
grep "setroubleshoot" /var/log/messages

Mar 10 21:57:35 dlp setroubleshoot[1840]: SELinux is preventing /usr/sbin/smbd from watch access on the directory /home/share. For complete SELinux messages run: sealert -l 08f68245-f415-4f55-a5d5-7a9a27beba12
Mar 10 21:57:35 dlp setroubleshoot[1840]: SELinux is preventing /usr/sbin/smbd from watch access on the directory /home/share.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow samba to export all rw#012Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.#012#012Do#012setsebool -P samba_export_all_rw 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that smbd should be allowed watch access on the share directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'smbd-notifyd' --raw | audit2allow -M my-smbdnotifyd#012# semodule -X 300 -i my-smbdnotifyd.pp#012
[2] When Audit service is enabled, AVC Denial Logs are recorded to [/var/log/audit/audit.log].
[root@dlp ~]#
grep "avc: .denied" /var/log/audit/audit.log

type=AVC msg=audit(1644986614.918:178): avc:  denied  { mac_admin } for  pid=1933 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
type=AVC msg=audit(1646971053.926:140): avc:  denied  { watch } for  pid=1794 comm="smbd-notifyd" path="/home/share" dev="dm-0" ino=61100 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1646971053.927:141): avc:  denied  { watch } for  pid=1794 comm="smbd-notifyd" path="/home/share" dev="dm-0" ino=61100 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
[3] For Messages via Auditd, it's possible to search them with [ausearch] command.
[root@dlp ~]#
ausearch -m AVC

----
time->Thu Mar 10 21:57:33 2022
type=PROCTITLE msg=audit(1646971053.926:140): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
type=SYSCALL msg=audit(1646971053.926:140): arch=c000003e syscall=254 success=no exit=-13 a0=f a1=7ffcf269679c a2=210003c0 a3=7ffcf2695fd0 items=0 ppid=1792 pid=1794 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd-notifyd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1646971053.926:140): avc:  denied  { watch } for  pid=1794 comm="smbd-notifyd" path="/home/share" dev="dm-0" ino=61100 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Thu Mar 10 21:57:33 2022
type=PROCTITLE msg=audit(1646971053.927:141): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
type=SYSCALL msg=audit(1646971053.927:141): arch=c000003e syscall=254 success=no exit=-13 a0=f a1=7ffcf269679c a2=210003c6 a3=7ffcf2696740 items=0 ppid=1792 pid=1794 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd-notifyd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1646971053.927:141): avc:  denied  { watch } for  pid=1794 comm="smbd-notifyd" path="/home/share" dev="dm-0" ino=61100 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
[4] For Messages via Auditd, it's possible to show summary reports with [aureport] command.
[root@dlp ~]#
aureport --avc


AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 02/15/2022 22:43:19 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 166
2. 02/15/2022 22:43:19 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 167
3. 02/15/2022 22:43:19 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 168
4. 02/15/2022 22:43:34 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 175
5. 02/15/2022 22:43:34 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 176
6. 02/15/2022 22:43:34 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 177
7. 02/15/2022 22:43:34 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 178
8. 03/10/2022 21:57:33 smbd-notifyd system_u:system_r:smbd_t:s0 254 dir watch unconfined_u:object_r:user_home_dir_t:s0 denied 140
9. 03/10/2022 21:57:33 smbd-notifyd system_u:system_r:smbd_t:s0 254 dir watch unconfined_u:object_r:user_home_dir_t:s0 denied 141
Matched Content